IBM Support

PK68688: IBM HTTP SERVER V6.0- MOD_PROXY_CONNECT MAY TIMEOUT WHEN SSL IS ENABLED AND CLIENT SENDS A SSL RECORD BETWEEN 8K AND 16K IN SIZE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM HTTP Server v6.0
    --------------------
    
    mod_proxy_connect may timeout when SSL is enabled and client
    sends an SSL frame with a size between 8K and 16K.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM HTTP Server configurations with all of   *
    * "ProxyRequests on", mod_proxy_connect loaded, and proxy      *
    * clients connecting via a VirtualHost with SSLEnable          *
    ****************************************************************
    * PROBLEM DESCRIPTION: mod_proxy_connect may timeout when it   *
    * processes incoming SSL requests where the SSL record length  *
    * is between 8 and 16 kilobytes.                               *
    ****************************************************************
    * RECOMMENDATION: Generally browser-based clients do not       *
    * simultaneously use SSL on the connection to the proxy server *
    * and the CONNECT protocol of mod_proxy_connect. If a custom   *
    * client that uses both SSL and the CONNECT protocol is using  *
    * IHS as a forward proxy, customers should apply this fix      *
    ****************************************************************
    
    mod_proxy_connect creates a tunnel between the client and the
    origin server, and is traditionally reading from a plaintext
    connection on the client side.  In the case that the client is
    using SSL for the forward proxy connection, mod_proxy_connect
    fails to recognize that new data is available from the client
    because it has been buffered by the GSKit security library.
    
    Because mod_proxy_connect reads data 8 kilobytes at a time,
    only when the SSL record exceeded 8 kilobytes did GSKit have
    an opportunity to buffer the data.
    

Problem conclusion

  • mod_proxy_connect has been modified to always read all pending
    data from the GSKit security library before calling poll() on
    the native SSL socket. This avoids sleeping on a socket for
    which the GSKit security library has already read all
    outstanding data.
    
    This fix is targeted for fix packs
      6.1.0.21
      6.0.2.33
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK68688

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60I

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2008-07-08

  • Closed date

    2008-08-06

  • Last modified date

    2008-08-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • PRXYCNCT
    

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61P PSN

       UP

  • R61I PSN

       UP

  • R61S PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP

[{"Line of Business":[],"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0"}]

Document Information

Modified date:
25 September 2020